Bump rails-html-sanitizer from 1.0.4 to 1.4.4#67
Open
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.0.4 to 1.4.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's releases</a>.</em></p> <blockquote> <h2>1.4.4 / 2022-12-13</h2> <ul> <li> <p>Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23517. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address improper sanitization of data URIs.</p> <p>Fixes CVE-2022-23518 and <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23520. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23519. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> </ul> <h2>1.4.3 / 2022-06-09</h2> <ul> <li> <p>Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Prevent the combination of <code>select</code> and <code>style</code> as allowed tags in SafeListSanitizer.</p> <p>Fixes CVE-2022-32209</p> <p><em>Mike Dalessio</em></p> </li> </ul> <h2>1.4.2 / 2021-08-23</h2> <ul> <li> <p>Slightly improve performance.</p> <p>Assuming elements are more common than comments, make one less method call per node.</p> </li> </ul> <h2>1.4.1 / 2021-08-18</h2> <ul> <li> <p>Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.</p> <p>Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only passed through elements to the scrubber's <code>keep_node?</code> method.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rails/rails-html-sanitizer/blob/master/CHANGELOG.md">rails-html-sanitizer's changelog</a>.</em></p> <blockquote> <h2>1.4.4 / 2022-12-13</h2> <ul> <li> <p>Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23517. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address improper sanitization of data URIs.</p> <p>Fixes CVE-2022-23518 and <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23520. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> <li> <p>Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Fixes CVE-2022-23519. See <a href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a> for more information.</p> <p><em>Mike Dalessio</em></p> </li> </ul> <h2>1.4.3 / 2022-06-09</h2> <ul> <li> <p>Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.</p> <p>Prevent the combination of <code>select</code> and <code>style</code> as allowed tags in SafeListSanitizer.</p> <p>Fixes CVE-2022-32209</p> <p><em>Mike Dalessio</em></p> </li> </ul> <h2>1.4.2 / 2021-08-23</h2> <ul> <li> <p>Slightly improve performance.</p> <p>Assuming elements are more common than comments, make one less method call per node.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/fd63deaeb22e601237d4d4d12014e7ebd410ea9b"><code>fd63dea</code></a> version bump to v1.4.4</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/48ae90acfce9cacbd7cec9963498f6a7b5bc3d5c"><code>48ae90a</code></a> dep: bump dependency on loofah</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/0713caf2ee23801cfb85e37065cf406368b20082"><code>0713caf</code></a> fix: escape CDATA nodes using Loofah's escaping methods</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/e6d52d3b6db99d07399498b1287997302d444a8d"><code>e6d52d3</code></a> revert 45a5c10</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/d1223a29cb3e4151cdcb6ba6c8431708d8ce40a6"><code>d1223a2</code></a> fix: use Loofah's scrub_uri_attribute method</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/f0e33477a0557dbdbefc3e470c7df3a64efb002a"><code>f0e3347</code></a> fix: replace slow regex attribute check with Loofah method</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/df03f2f600cafff3e349b1ec48b730c43b381b65"><code>df03f2f</code></a> ci: pin system lib test to 20.04</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/3e2a0f39f8ede1368436580e1ba02f9e08585858"><code>3e2a0f3</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/145">#145</a> from rails/flavorjones-get-14x-green</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/11752a6427283e8a836608cd1d3ba27b6fb97f78"><code>11752a6</code></a> tests: handle libxml 2.10.0 incorrectly-opened comment parsing</li> <li><a href="https://github.com/rails/rails-html-sanitizer/commit/f83f08c81a3a33ce0fb1c379933c416ae80672fa"><code>f83f08c</code></a> version bump to v1.4.3</li> <li>Additional commits viewable in <a href="https://github.com/rails/rails-html-sanitizer/compare/v1.0.4...v1.4.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/TurtleTony/rails-image-board/network/alerts). </details>
AI Analysis
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be still under discussion. The issue was opened by dependabot[bot] and has received 0 comments.
Add a comment
Comment form would go here